Microsoft kicked off its 2026 patching calendar with a hefty first Patch Tuesday, resolving 112 CVEs — roughly twice the volume of the prior month. The standout fix is for an actively exploited zero-day in the Desktop Window Manager (DWM), CVE-2026-20805 (CVSS 5.5), an information-disclosure flaw that leaks memory-address data attackers can use to defeat protections and set up follow-on intrusions. The release also flags eight bugs as more likely to be exploited, including two NTFS remote-code-execution issues and several elevation-of-privilege defects.

The DWM zero-day: CVE-2026-20805

DWM is the Windows component responsible for compositing and drawing application windows on screen, and it leans on GPU acceleration to render the desktop UI. It also carries a long track record of security defects. According to Tenable's Satnam Narang, CVE-2026-20805 marks the first information-disclosure zero-day reported in DWM.

Microsoft assigns the bug only a moderate rating, with a CVSS score of 5.5. The catch is that exploitation has already been confirmed in the wild. An information leak like this is rarely dangerous on its own, but the memory-layout details it exposes are valuable building blocks: an attacker can pair the leaked addresses with a separate memory-corruption flaw to escalate privileges or steal data. As the independent analysis at Inside CVE-2026-20805 describes, the weakness sits in the core component that renders the desktop, composes windows, and drives GPU-based UI acceleration. Because DWM runs as part of the standard desktop session, the surface for abuse is broad.

Eight bugs flagged as more likely to be exploited

Beyond the zero-day, Microsoft marked eight vulnerabilities in this batch as more likely to see exploitation.

Two are remote-code-execution flaws in NTFS — CVE-2026-20840 and CVE-2026-20922, both rated CVSS 7.8. They are buffer overflows that let a local attacker execute arbitrary code. Researchers recommend patching these quickly, since third-party reporting makes it probable that public technical write-ups will surface.

The remaining six are elevation-of-privilege issues, each scored 7.8. They affect:

  • Windows Installer
  • Windows Error Reporting
  • the Common Log File System (CLFS) driver
  • Routing and Remote Access
  • the Ancillary Function Driver for WinSock (AFD)
  • Desktop Window Manager (DWM)

Lower-probability bugs still worth prioritizing

A few flaws Microsoft considers less likely to be exploited still deserve early attention.

CVE-2026-20876 is an elevation-of-privilege flaw in the Windows VBS Enclave. Successful abuse could let an attacker cross Windows isolation boundaries and reach trusted execution layers — a path that puts credentials and other secrets at risk.

Two critical-rated Office remote-code-execution bugs, CVE-2026-20952 and CVE-2026-20953 (both CVSS 8.4), round out the priority list. Both can be set off through a trusted document or via the Preview Pane, and in some scenarios require no user interaction at all, which makes them especially attractive to attackers using malicious file delivery.

Mitigation

Apply the January 2026 cumulative updates promptly, prioritizing the actively exploited DWM zero-day (CVE-2026-20805), the two NTFS RCE flaws (CVE-2026-20840 and CVE-2026-20922), and the no-interaction Office RCEs (CVE-2026-20952 and CVE-2026-20953). For the Office bugs, organizations that cannot patch immediately should consider disabling the Preview Pane and tightening handling of untrusted documents as an interim measure.

Technical background

Information-disclosure flaws such as the DWM zero-day are valuable to attackers chiefly as enablers for exploit chains. Modern Windows defenses like Address Space Layout Randomization (ASLR) work by placing code and data at unpredictable memory addresses, so that an attacker who controls a write or jump cannot reliably know where to aim. A leak that reveals a single valid kernel or process address effectively undoes that randomization for the affected region, giving the attacker a reliable target to combine with a memory-corruption primitive (for example, one of the NTFS buffer overflows in the same release). This is why a "moderate" CVSS 5.5 leak that is already being exploited can be more urgent in practice than its score implies — it is the missing piece that makes higher-severity bugs dependable.